File name:

SETUP.exe

Full analysis: https://app.any.run/tasks/3f73da96-29a6-435b-b563-a3c1d77e4e43
Verdict: Malicious activity
Analysis date: February 03, 2024, 15:33:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5:

EC6A6A7431C9A8E9BB88C03027B358D1

SHA1:

3D6598DA95AE6AE732A68CF0F3A7E0F1ABECEC0E

SHA256:

A93F018F6157CA6636B7B0F783A9D42F404D2F66BD9FE455712CF07AD7E2272A

SSDEEP:

98304:oNOG/IdR86YzIuQsJ22ki7XrZNlJ+uLrh4EksRU9TUAgGATg8mM6CGyCajLHEdSL:aFBd+n+d

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • SETUP.exe (PID: 2628)
      • IKernel.exe (PID: 3248)
      • Setup.exe (PID: 2088)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • SETUP.exe (PID: 2628)
      • Setup.exe (PID: 2088)
      • IKernel.exe (PID: 3248)

    • Application launched itself

      • IKernel.exe (PID: 3248)

  • INFO

    • Create files in a temporary directory

      • SETUP.exe (PID: 2628)
      • IKernel.exe (PID: 3248)

    • Checks supported languages

      • Setup.exe (PID: 2088)
      • SETUP.exe (PID: 2628)
      • IKernel.exe (PID: 3248)
      • IKernel.exe (PID: 1072)
      • IKernel.exe (PID: 3096)

    • Creates files in the program directory

      • Setup.exe (PID: 2088)
      • IKernel.exe (PID: 3248)

    • Reads the computer name

      • IKernel.exe (PID: 1072)
      • IKernel.exe (PID: 3248)
      • IKernel.exe (PID: 3096)
      • Setup.exe (PID: 2088)

    • Reads the machine GUID from the registry

      • Setup.exe (PID: 2088)
      • IKernel.exe (PID: 3248)

    • Reads Environment values

      • IKernel.exe (PID: 3248)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2000:06:16 20:00:04+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 69632
InitializedDataSize: 98304
UninitializedDataSize: -
EntryPoint: 0x84a7
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.11.15.0
ProductVersionNumber: 2.11.15.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Tiny_0213
CompanyName: General
FileDescription: TNC0402.2003.04.02
FileVersion: 1.00.000
InternalName: stub32i.exe
LegalCopyright: -
OriginalFileName: stub32i.exe
ProductName: MyDSC
ProductVersion: 1.00.000
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
6
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start setup.exe setup.exe ikernel.exe no specs ikernel.exe ikernel.exe no specs setup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
752"C:\Users\admin\AppData\Local\Temp\SETUP.exe" C:\Users\admin\AppData\Local\Temp\SETUP.exeexplorer.exe
User:
admin
Company:
General
Integrity Level:
MEDIUM
Description:
TNC0402.2003.04.02
Exit code:
3221226540
Version:
1.00.000
Modules
Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll
1072"C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe" -RegServerC:\Program Files\Common Files\InstallShield\engine\6\Intel 32\IKernel.exeSetup.exe
User:
admin
Company:
InstallShield Software Corporation
Integrity Level:
HIGH
Description:
InstallShield (R) Setup Engine
Exit code:
0
Version:
6, 31, 100, 1190
Modules
Images
c:\program files\common files\installshield\engine\6\intel 32\ikernel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
2088"C:\Users\admin\AppData\Local\Temp\pft353F~tmp\Disk1\Setup.exe"C:\Users\admin\AppData\Local\Temp\pft353F~tmp\Disk1\Setup.exe
SETUP.exe
User:
admin
Company:
InstallShield Software Corporation
Integrity Level:
HIGH
Description:
InstallShield (R) Setup Launcher
Exit code:
0
Version:
6, 20, 100, 1362
Modules
Images
c:\users\admin\appdata\local\temp\pft353f~tmp\disk1\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
2628"C:\Users\admin\AppData\Local\Temp\SETUP.exe" C:\Users\admin\AppData\Local\Temp\SETUP.exe
explorer.exe
User:
admin
Company:
General
Integrity Level:
HIGH
Description:
TNC0402.2003.04.02
Exit code:
0
Version:
1.00.000
Modules
Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3096"C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVERC:\Program Files\Common Files\InstallShield\engine\6\Intel 32\IKernel.exeIKernel.exe
User:
admin
Company:
InstallShield Software Corporation
Integrity Level:
HIGH
Description:
InstallShield (R) Setup Engine
Exit code:
0
Version:
6, 31, 100, 1190
Modules
Images
c:\program files\common files\installshield\engine\6\intel 32\ikernel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
3248C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe -EmbeddingC:\Program Files\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
svchost.exe
User:
admin
Company:
InstallShield Software Corporation
Integrity Level:
HIGH
Description:
InstallShield (R) Setup Engine
Exit code:
0
Version:
6, 31, 100, 1190
Modules
Images
c:\program files\common files\installshield\engine\6\intel 32\ikernel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
Total events
394
Read events
388
Write events
6
Delete events
0

Modification events

(PID) Process:(3248) IKernel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation:writeName:C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\corecomp.ini
Value:
1
(PID) Process:(3248) IKernel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation:writeName:C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\ctor.dll
Value:
1
(PID) Process:(3248) IKernel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation:writeName:C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
Value:
1
(PID) Process:(3248) IKernel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation:writeName:C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
Value:
1
(PID) Process:(3248) IKernel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation:writeName:C:\Program Files\Common Files\InstallShield\IScript\iscript.dll
Value:
1
(PID) Process:(3248) IKernel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation:writeName:C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
Value:
1
Executable files
20
Suspicious files
12
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2628SETUP.exeC:\Users\admin\AppData\Local\Temp\pft353F~tmp\Disk1\layout.binbinary
MD5:928AECBA357045D61DA3E57976ABFD97
SHA256:794636658F16E377F6272ED7995DAF5710725683BFA7DDD5E0654B3E2FD8FCDF
2628SETUP.exeC:\Users\admin\AppData\Local\Temp\plf351E.tmptext
MD5:19A2283172165182D05BBD5745372F62
SHA256:379ADDFC2E4A0309EC0526507D564FC79EEB6635963C0E84F10CB8B103036C54
2628SETUP.exeC:\Users\admin\AppData\Local\Temp\pft353F~tmp\Disk1\data1.cabcompressed
MD5:0AF6574032E96B724AFDC8527C1D84C3
SHA256:43B5B41ABF20B989C41F2CDB44F4DE130D2ED867ABA40F469CC85EA17E71CF49
2088Setup.exeC:\Program Files\Common Files\InstallShield\engine\6\Intel 32\IKernel.exeexecutable
MD5:BF25EB6A1E0AA2FFF0CB190270B95418
SHA256:4535320C5B9596A6210109F68C647DBDBD0289BA63286FD389DEA910855491F1
2628SETUP.exeC:\Users\admin\AppData\Local\Temp\pft353F~tmp\Disk1\Setup.initext
MD5:A848571EF69C8820FEC66E4AFAC27DDC
SHA256:FDC054E2653560EA9FE7941CDE407A52398DCDC5AC0B37EA131C4406A52E0C7B
2088Setup.exeC:\Program Files\Common Files\InstallShield\engine\6\Intel 32\temp.000executable
MD5:BF25EB6A1E0AA2FFF0CB190270B95418
SHA256:4535320C5B9596A6210109F68C647DBDBD0289BA63286FD389DEA910855491F1
3248IKernel.exeC:\Program Files\Common Files\InstallShield\engine\6\Intel 32\ctor3b0a.rraexecutable
MD5:003A6C011AAC993BCDE8C860988CE49B
SHA256:590BE865DDF8C8D0431D8F92AA3948CC3C1685FD0649D607776B81CD1E267D0A
3248IKernel.exeC:\Program Files\Common Files\InstallShield\engine\6\Intel 32\objectps.dllexecutable
MD5:8F02B204853939F8AEFE6B07B283BE9A
SHA256:32C6AD91DC66BC12E1273B1E13EB7A15D6E8F63B93447909CA2163DD21B22998
2628SETUP.exeC:\Users\admin\AppData\Local\Temp\pft353F~tmp\pftw1.pkgcompressed
MD5:90365C4341FDA04FF6FA92AB506B7B0E
SHA256:2DA0E80B7C839A84E56C1A43CDA7434DD5F13F5D1C0FB0C78C29DE6852747795
3248IKernel.exeC:\Program Files\Common Files\InstallShield\engine\6\Intel 32\obje3b39.rraexecutable
MD5:8F02B204853939F8AEFE6B07B283BE9A
SHA256:32C6AD91DC66BC12E1273B1E13EB7A15D6E8F63B93447909CA2163DD21B22998
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SETUP.exe